forked from pool/python-M2Crypto
Matej Cepl
a86aefab3a
- OpenSSL allows the verificaton to continue on
UNABLE_TO_VERIFY_LEAF_SIGNATURE
* This unifies the behaviour of a single certificate with an
unknown CA certificate with a self-signed certificate.
- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
- Add source signature file
OBS-URL: https://build.opensuse.org/request/show/873095
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=96
48 lines
2.1 KiB
Diff
48 lines
2.1 KiB
Diff
From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001
|
|
From: Casey Deccio <casey@deccio.net>
|
|
Date: Fri, 8 Jan 2021 12:43:09 -0700
|
|
Subject: [PATCH] Allow verify_cb_* to be called with ok=True
|
|
|
|
With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
|
|
OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
|
|
---
|
|
tests/test_ssl.py | 14 ++++++++++++--
|
|
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
|
|
index 92b6942c..7a3271aa 100644
|
|
--- a/tests/test_ssl.py
|
|
+++ b/tests/test_ssl.py
|
|
@@ -59,8 +59,13 @@ def allocate_srv_port():
|
|
|
|
|
|
def verify_cb_new_function(ok, store):
|
|
- assert not ok
|
|
err = store.get_error()
|
|
+ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
|
|
+ # aborting, this callback is called to retrieve additional error
|
|
+ # information. In this case, ok might not be False.
|
|
+ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
|
|
+ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
|
+ assert not ok
|
|
assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
|
|
m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
|
|
m2.X509_V_ERR_CERT_UNTRUSTED,
|
|
@@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
|
|
|
|
def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok):
|
|
try:
|
|
- self.assertFalse(ok)
|
|
+ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
|
|
+ # aborting, this callback is called to retrieve additional error
|
|
+ # information. In this case, ok might not be False.
|
|
+ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
|
|
+ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
|
+ self.assertFalse(ok)
|
|
self.assertIn(err,
|
|
[m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
|
|
m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
|
|
--
|
|
GitLab
|
|
|